Categories: Regulation

NHS Care.Data 2.0: What Should It Look Like?

The Care.data programme still lives on – albeit not with the same name, and as the NHS has made clear it will be using resources that it put into this project up until now for future data-sharing initiatives.

The scheme was launched in a bid to allow primary care data from GP practices to be shared with the Health and Social Care Information Centre (HSCIC) and clinical care groups (CCGs), and eventually matched with secondary care data, anonymised and shared with researchers.

But there was controversy over who the NHS will exactly be sharing the data with, and how it would be notifying patients of this. Privacy campaigners insisted that there should be an opt-out for patients – but the NHS managed to make a mess of this too, with a £1m leaflet campaign which failed to raise awareness, and many patients who had opted-out still having their data shared.

Déjà vu

There is a striking similarity about the way the NHS has seemingly shelved Care.data.

Several years ago, an internal review by the NHS information centre (NHS IC) found that it made “significant lapses” in recording the release of data to private companies between 2005 and 2012.

Within that period, 588 data releases were made to 178 private-sector organisations which didn’t include charities, for the alleged purpose of “analytics, benchmarking and research”.

Just ahead of the report, dubbed the ‘Data Release Review’ being published, the NHS information centre was renamed the Health and Social Care Information Centre (HSCIC). Care.data was subsequently launched by NHS England, and was run by HSCIC. Now that Care.data has been dropped – you guessed it – HSCIC has been renamed NHS Digital. It seems as if the toxic brand associated with Care.data also transferred over to HSCIC. The reason for changing its name twice? To dissolve any responsibility of sharing data with private companies, and start fresh.

So what should the NHS do now?

What is clear is that the NHS hasn’t been transparent through the whole Care.data process. Merely moving away from the brand name of Care.data and working on a project behind the scenes is likely to cause even more controversy and ill-feeling if and when details leak about any such project. The NHS should have learnt from its mistakes of the Care.data programme, and it should work with privacy campaigners to ensure everything it is doing is in the interests of patients. There is no doubt that the NHS needs to improve the way it shares data, because this will in-turn improve the health service, and benefit its patients. However, patients need to know what data is being shared and who it is being shared with, and they should have the option to opt-out.

This means the NHS needs to make every patient aware of the project or projects, and of their choices. In order to do that, it must simplify the wording of the opt-outs; most of the material that the NHS has on its Type-1 and Type-2 opt-outs is overly complicated. The opt-outs should be made electronically, and as once suggested by @Marcus_Baw, they should look more like this:


Dame Fiona Caldicott proposed a new opt-out mechanism based on either a single question or two linked questions, but she failed to indicate a favourable option which has delayed any new programme further. This delay has an impact on the health service; the NHS needs a model to be able to share data, and it needs its patients on board. It needs to act swiftly, so that UK citizens – and not private companies – can start reaping the rewards.

Take our cybersecurity of 2016 quiz here!

Ben Sullivan

Ben covers web and technology giants such as Google, Amazon, and Microsoft and their impact on the cloud computing industry, whilst also writing about data centre players and their increasing importance in Europe. He also covers future technologies such as drones, aerospace, science, and the effect of technology on the environment.

View Comments

  • Why should opt-outs have to be made electronically ? Forcing those who may not feel comfortable with the internet have to use it. If we consider the specific process for opting out or indeed asking any organization for data it holds. In the first instance the person making the request has to identify themselves. By this very fact they are providing some Personally Identifiable Information (PII). Certainly in the latter case handing over some information that the organization may not have had in the first instance. The question is then, if a person identifies themselves to opt-out or have confirmation of data held about themselves, does that mean the person's name, address and date of birth can 'legally' be retained by the organization to which the request is sent ? By the very fact that the person has to send their PII to complete the process, is this considered 'consent' ?

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago